recommended reading

Report: Fifty-eight percent of Energy computers went months without bug fixes

Simon Booth/Shutterstock.com

A perhaps disturbing summation of the state of federal cyber security: An internal audit found nearly 60 percent of Energy Department desktop computers were missing critical software patches -- and those findings don’t surprise security experts.

Officials risk disrupting agency business by applying patches because fixes likely would require pausing widely used programs, said Patrick Miller, chief executive officer of EnergySec, a federally funded public-private partnership.

The inspector general audit, which was released this week, covered unclassified systems at administrative offices departmentwide.

“It would actually be more damaging to the organization to patch it than to not patch it,” Miller said. “The reality is most organizations, the larger they get, the harder it is for them to manage their patching.” It is unclear whether the department compensated for holes by using other safeguards, such as firewalls.

The assessment revealed that many desktops and servers were running without security patches. Department-level systems handle budgeting and human resources data, as well as information on public-private investments, such as the controversial economic stimulus loan to solar power firm Solyndra. The now-bankrupt recipient of a more than $500 million Recovery Act award obtained court approval Thursday to sell its headquarters for $90 million.

About 58 percent of the Energy desktops tested used operating systems or software without fixes for weaknesses that had been discovered, in some cases, up to six months earlier. Also, 41 network servers were running operating systems no longer supported by their developers.

But, Miller said, defects are typical at fiscally strained federal agencies that are overseeing massive networks. “Those numbers are quite low for an agency of its size,” he said.  

Some of the flawed systems operate critical department operations, though the report did not identify specific activities.

“These vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations,” Energy Inspector General Gregory H. Friedman wrote.

Systems that run federal utilities and handle nuclear testing were not part of the evaluation.

The probe was conducted between February and November and examined facilities overseen by the undersecretary for nuclear security, undersecretary of energy and undersecretary for science.

A separate agency, the Health, Safety and Security Office of Enforcement and Oversight, studies cyber controls for Energy national security systems.

The study did not try to spot actual breaches.

In a Nov. 5 response to a draft report, Energy Chief Information Officer Robert Breese agreed to follow up on the uncovered problems. “The weaknesses noted in this report have been reviewed and corrective actions, to include the implementation of appropriate controls, have been identified,” he wrote. Energy offices will be expected to report quarterly to the CIO on their progress bolstering systems.

Systems powering federal utilities have come under the IG’s microscope several times during the past year.

In late October, the inspector general reported that the government's largest renewable power delivery agency was using a default password to protect a scheduling database, and regularly failed to update security software. The Western Area Power Administration distributes hydroelectric energy to utilities serving millions of homes and businesses in the Rocky Mountain, Sierra Nevada, Great Plains and Southwest regions.

Cyber experts said weaknesses flagged in a March audit of a Northwestern utility that powers 30 percent of the region, including key military installations, are typical of many government and industry energy systems. Eleven servers at the federal Bonneville Power Administration in Portland, Ore., used weak passwords, "an issue that could have allowed a knowledgeable attacker to obtain complete access to the system," the IG report stated.

Officials from Energy, the Homeland Security Department and the White House will highlight actions undertaken to help public and private sector utilities prioritize defenses at a  Washington event on Nov. 27 hosted by Government Executive Media Group.

(Image via Simon Booth/Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.